National Aeronautics and Space Administration
Office of Inspector General
Washington, DC 20546-0001

April 28, 2008

TO:       Associate Administrator for Institutions and Management
          Chief Information Officer

FROM:     Assistant Inspector General for Investigations

SUBJECT:  Lost and Stolen Laptop Computers

The purpose of this memorandum is to recommend management action regarding recent reports of lost and stolen laptops and other computer equipment.

During the past calendar year, we have received nine reports of lost and stolen computer equipment, the most recent being a NASA employee who, while on travel, left her laptop computer unattended on a chair in a common area of a restroom – while she used the facilities. Other reports of stolen laptops included ones that have been taken from NASA employees in a variety of other circumstances, to include thefts from unsecured vehicles, the workplace, or from home. While the amount of physical losses is small compared to NASA’s overall laptop inventory, the loss of one laptop (depending on the data therein) could have a profound impact on Agency operations – to include risks to employee privacy. Fortunately, these cases don’t appear to raise these issues, although more work needs to be done.

This office recognizes the difficulty of stopping a determined thief from perpetrating a planned theft requiring access to unauthorized or protected areas like a home, a locked car, or the work place. But unfortunately, most of the reports we’ve received point toward a NASA employee’s negligence as being a contributing factor to the loss. This is troubling, because according to NASA regulations, NASA employees have duties and obligations regarding the protection of NASA’s data and equipment. For example, NPR 2810.1A, Security of Information Technology, requires employees to comply with policies and procedures to protect unclassified NASA information; and NPD 4200.1B, Equipment Management, requires employees to safeguard and prudently operate assets issued to them. Other regulations set forth employee requirements pertaining to protection of sensitive but unclassified information [1] – which often is found on NASA laptops.

We also recognize the inherent challenges associated with protecting laptops and other small, transportable data items (like memory sticks) that are highly susceptible to loss and theft. But we also believe that the recent amounts of loss and their attendant circumstances suggest that NASA can do better in protecting our equipment and information – possibly through increased situational awareness and training. We all know that systemic, passive, and reasonable common sense measures taken by our employee workforce are the best steps to protect our equipment and information from physical and virtual theft.

Please be assured that this office, in coordination with the Federal Bureau of Investigation and NASA’s Office of Security and Program Protection, remains committed to doing everything we can to ensure that those who commit these NASA-related crimes are held accountable. This year, we apprehended, indicted, convicted, and imprisoned a Johnson Space Center security guard and his fence who were stealing and selling laptops (and other electronic equipment) belonging to the Johnson Space Center. And in recent years, we’ve also had successful prosecutions involving laptops at Marshall Space Flight Center and Glenn Research Center. Other NASA laptop-related cases are still under investigation, and we stand ready to assist the Agency should you bring other such cases to our attention.

In the meantime, however, we recommend that the Agency review its present policies [2] on this subject matter, with a view toward taking steps to raise or renew the awareness of the above-mentioned regulations and safeguarding assigned computers and peripherals, while in the office, at home, and on travel. On a related topic, a June 2007 report by the Government Accountability Office was critical of NASA’s lack of accountability and weak internal controls pertaining to equipment losses, theft and misuse -- which we also commend for your review in this context. [3]

We respectfully request a response to this memorandum within 30 days. I am available for questions regarding this matter at (202) 358-2580 or you can contact the Deputy Assistant Inspector General for Investigations, Matt Kochanski at (202) 358-2576.

    signed
Kevin H. Winters

cc:
Chief of Staff/Mr. Morrell
General Counsel/Mr. Wholley

[1] NPR 1600.1, NASA Security Program Procedural Requirements, defines Sensitive But Unclassified (SBU) Controlled Information/Material as unclassified information or material determined to have special protection requirements to preclude unauthorized disclosure to avoid compromises, risks to facilities, projects or programs, threat to the security and/or safety of the source of information, or to meet access restrictions established by laws, directives, or regulations. This information includes ITAR, Privacy Act, Proprietary and other types of information that the Agency has determined to be sensitive; NASA employees are obligated to safeguard and protect this information. NASA employees are also required to protect Personally Identifiable Information, as defined by NPR 1382.1, NASA Privacy Procedural Requirements.

[2] This includes the Deputy Administrator’s October 2, 2007, memorandum, “Safeguarding Sensitive but Unclassified Information.”

[3] See, GAO-07-432, Property Management, Lack of Accountability and Weak Internal Controls Leave NASA Equipment Vulnerable to Loss, Theft and Misuse, June 2007.